How to secure a web application with WildFly Swarm

What’s this blog post about?

The focus of this post is to create and secure a microservice with Java EE. More specifically, a simple REST application with JAX-RS is created with WildFly Swarm, and authentication and role-based access control are added with Keycloak. The result is a small, self-contained microservice that can be run on any platform with a Java runtime.

What is WildFly Swarm?

That’s how the developers describe it: “…innovative approach to packaging and running Java EE applications by packaging them with just enough of the platform to java -jar your application”.
My understanding in short: A simple way to create an individual microservice which can be run on any Java platform.

As described in its documentation, WildFly Swarm splits the WildFly Application Server into “fine-grained parts” called “fractions” and lets you bundle exactly the parts your application needs into a so-called “uberjar”. The uberjar is a self-contained, executable Java archive: a standard jar file containing your application, the WildFly fractions it uses and the dependencies declared in your build file. If you only need JPA, JAX-RS and transactions, you select those fractions and add them to your Maven dependencies (Gradle is supported as well). You want Logstash and Swagger? Add them to your dependencies. You don’t need transactions? Remove that fraction. If you would rather not add the dependencies to your build file by hand, the “WildFly Swarm Project Generator” lets you select the fractions your application needs and download the result as a zip file.

What is Keycloak?

That’s how the developers describe it: “Keycloak is an SSO solution for web apps, mobile and RESTful web services. It is an authentication server where users can centrally login, logout, register, and manage their user accounts.”
My understanding in short: A way to secure your microservice with a lot of features (like SSO, Social Login,…).

Keycloak is built on top of the OAuth 2.0, OpenID Connect, JSON Web Token (JWT) and SAML 2.0 specifications. Its main features are the centralized management of users and roles and the possibility to deploy it on an existing application server, as a black-box appliance, or as an OpenShift cloud service. It provides social login, single sign-on, LDAP integration and many more security functionalities (http://keycloak.jboss.org/). Note: The focus of this post is not to show all features of Keycloak, but only the ones needed to secure your microservice.

How to create your application?

Here are the steps to create a simple REST application with a standalone Keycloak Server:

Congratulations! You have created a microservice with built-in security in just a few minutes.

What’s inside?

Let’s have a look at what’s inside the generated project, starting with the pom.xml:

pom.xml - Part 1

```xml
<modelVersion>4.0.0</modelVersion>

<groupId>de.novatec</groupId>
<artifactId>security</artifactId>
<name>Wildfly Swarm Example</name>
<version>1.0.0-SNAPSHOT</version>
<packaging>war</packaging>

<properties>
  <version.wildfly.swarm>1.0.0.CR1</version.wildfly.swarm>
  <maven.compiler.source>1.8</maven.compiler.source>
  <maven.compiler.target>1.8</maven.compiler.target>
  <failOnMissingWebXml>false</failOnMissingWebXml>
  <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.wildfly.swarm</groupId>
      <artifactId>bom</artifactId>
      <version>${version.wildfly.swarm}</version>
      <scope>import</scope>
      <type>pom</type>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <finalName>security</finalName>
  <plugins>
    <plugin>
      <groupId>org.wildfly.swarm</groupId>
      <artifactId>wildfly-swarm-plugin</artifactId>
      <version>${version.wildfly.swarm}</version>
      <executions>
        <execution>
          <goals>
            <goal>package</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

As you can see, the packaging is pre-configured as “war”. Below the properties follows the WildFly Swarm build setup: the BOM (“Bill Of Materials”) imported in dependencyManagement, which pins the versions of all fractions, and the wildfly-swarm-plugin with its package goal, which builds the uberjar. That’s all! The remaining dependencies are the Java EE 7 API and the fractions you selected in the generator: JAX-RS, Keycloak and Keycloak Server. These are provided by the WildFly Swarm project and differ from the standard project dependencies in that they carry no version of their own; the version comes from the BOM:

pom.xml - Part 2

```xml
<dependency>
  <groupId>org.wildfly.swarm</groupId>
  <artifactId>jaxrs</artifactId>
</dependency>
<dependency>
  <groupId>org.wildfly.swarm</groupId>
  <artifactId>keycloak</artifactId>
</dependency>
<dependency>
  <groupId>org.wildfly.swarm</groupId>
  <artifactId>keycloak-server</artifactId>
</dependency>
```

The project also contains two Java classes. The RestApplication class, which sets the ApplicationPath…

RestApplication

```java
package com.example.rest;

import javax.ws.rs.core.Application;
import javax.ws.rs.ApplicationPath;

// All JAX-RS resources of this deployment are served below /rest
@ApplicationPath("/rest")
public class RestApplication extends Application {
}
```

… and the HelloWorldEndpoint with the path and a simple GET operation:

How to secure your application?

Log in with your new user (Note: the user will automatically be added to the ‘admin’ role)

Navigate to Clients

Add a new client with the following data. Note: Clients are trusted browser apps and web services in a realm, which can request a login. In our example the client is the REST application created above, which will be called from a web browser.

Navigate to the “Installation” tab and select the format option “Keycloak OIDC JSON”. Note: This file is the client adapter configuration in JSON format for the OpenID Connect (OIDC) protocol; you can download it or copy and paste it to configure your client. If the client’s access type is confidential, the file also contains the client secret, so keep it out of version control.

Click on download and save the file as keycloak.json in the src/main/webapp/WEB-INF directory of your unzipped project; this is where the Keycloak adapter looks for it.

Add the following web.xml to the same directory (src/main/webapp/WEB-INF). It restricts every URL of the application to users with the “admin” role and sets the authentication method to “KEYCLOAK”. The realm-name must match the Keycloak realm in which the client was created; the post uses the master realm for brevity, but Keycloak recommends keeping master for administration only and creating a dedicated realm for your applications:

web.xml

```xml
<web-app>
  <module-name>rest</module-name>

  <security-constraint>
    <web-resource-collection>
      <!-- No http-method listed, so every method on every URL is covered -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Role of the previously created user -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <!-- Set the authentication method to KEYCLOAK instead of BASIC -->
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>master</realm-name>
  </login-config>
</web-app>
```

Stop the previous run in the terminal (Ctrl + C)

Run “mvn package”, then start the application either with “mvn wildfly-swarm:run” or with “java -jar security-swarm.jar” from the “target” directory of your project. Unauthenticated requests below /rest are now redirected to the Keycloak login page, and only users with the “admin” role get through.
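To make the protection visible inside the application as well, here is an added example resource (my own code, not part of the generated project or of the original post) that reads the authenticated user from the JAX-RS SecurityContext and re-checks the “admin” role on the resource level, so access does not hinge on the web.xml constraint alone. The path “/whoami”, the class name and the “/declarative” sub-path are assumptions; “admin” is the role the post assigns to the created user:

```java
package com.example.rest;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Added example, not part of the generated project: the /* security-constraint in
// web.xml already blocks unauthenticated callers; this resource additionally
// enforces the "admin" role on the resource level (defence in depth). Resource
// path and class name are assumptions; "admin" is the role used in the post.
@Path("/whoami")
public class WhoAmIEndpoint {

    // Filled by the JAX-RS runtime. With <auth-method>KEYCLOAK</auth-method> the
    // principal and the roles come from the access token validated by the
    // Keycloak adapter, so no token parsing is needed here.
    @Context
    private SecurityContext securityContext;

    // Programmatic check: works regardless of any RESTEasy configuration.
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response whoAmI() {
        if (securityContext.getUserPrincipal() == null) {
            // Not reachable while web.xml protects /*, but keeps the resource safe
            // if the url-pattern is ever narrowed or the constraint removed.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        if (!securityContext.isUserInRole("admin")) {
            // Authenticated, but lacking the realm role "admin".
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("Hello " + securityContext.getUserPrincipal().getName()).build();
    }

    // Declarative check. RESTEasy only enforces @RolesAllowed when web.xml contains
    //   <context-param>
    //     <param-name>resteasy.role.based.security</param-name>
    //     <param-value>true</param-value>
    //   </context-param>
    // Without that parameter the annotation is silently ignored.
    @GET
    @Path("/declarative")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("admin")
    public String declarative() {
        return "Hello " + securityContext.getUserPrincipal().getName();
    }
}
```

Two details worth knowing: with the Keycloak adapter the principal name defaults to the token’s subject (the user’s ID), so set "principal-attribute": "preferred_username" in keycloak.json if you want the username instead. And the @RolesAllowed variant only works once RESTEasy’s role-based security filter is enabled via the resteasy.role.based.security context-param quoted in the comment; otherwise only the programmatic check and the web.xml constraint stand between the caller and the resource.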

What’s next?

It’s up to you! With the work done so far it is possible to extend your microservice with more functionality: think of log analysis with Logstash, persisting data with JPA or UI elements with JSF. Keep in mind that you can deploy your project anywhere, in line with the microservice “guidelines”. The focus of this post was just to show you one way to create and secure a microservice with WildFly Swarm and Keycloak. The concept of WildFly Swarm, splitting the application server into “fractions”, is a great approach towards microservices and in my opinion a concept with future potential. With Keycloak you can secure your application and provide further security functionality, but admittedly it is not the most lightweight solution if you only need basic authentication. Therefore in one of my next posts I will show you a more lightweight way to secure web applications.


Comments

Duygu Kücük

Hi Simon,

unfortunately the source is not available on GitHub, but you can easily generate the introduced sample application with the project generator.
You can find the default main class in org.wildfly.swarm.Swarm. Please also refer to the documentation (No User-Provided main(…))

26. September 2016 |

Simon

Is the source available on GitHub? I would like to see the main class of this program.